Westpac is looking to assess the risk controls associated with its application estate more widely and frequently in response to changing expectations, particularly of regulators and customers.
Head of controls excellence Jurgen Richter told a recent ServiceNow A/NZ Summit that the bank has used ServiceNow for control self-assessments across its technology landscape for about four years.
Self-assessments are a common governance, risk and compliance (GRC) activity. In this case, they identify risks associated with key technology systems and the effectiveness of the controls used to address those risks or prevent them from materialising.
Richter said that mergers and acquisitions contributed to a complex technology landscape at Westpac, comprising “over 1000 applications underpinning business operations”.
While the bank has a standard set of controls it applies to technology systems, it’s typically been constrained in the frequency with which it can assess the efficacy of the controls, and in the number of applications that can be covered by assessments.
That led it to assess controls associated with critical applications, mostly on a once- or twice-a-year basis.
But Richter noted that changing expectations – from regulators, customers and the business itself – meant the bank needed to be able to test faster and more widely across its technology environment and app estate.
“Approximately nine months ago we realised we had to pivot quite fast,” he said.
“So, in terms of our journey, we’ve come from a very static, manual, point-in-time, backward-looking control environment, [and we’re] moving more and more into real-time, predictive monitoring of the environment to feed into the business, for them to make real-time decisions.”
This is being enabled through the progressive automation of control testing – and the bank has set itself some aggressive goals over the next few years.
“We’ve only just started the journey in terms of looking at instead of doing these assessments annually or bi-annually, starting to trigger these more in real-time to provide better, faster, wider coverage across the full technology landscape,” Richter said.
“We’ve got an aggressive strategy over the next three years to get to 70 percent automation in terms of our control testing.
“Most of the banks around the world are targeting 30 to 40 percent. We’re going for 70 percent, so it’s ambitious but doable.”
Real-time results mean there is actual data that can be used to make decisions about control ratings on different applications.
Richter added that the work is also supporting an internal restructure of how the bank is organised.
“Westpac is pivoting from a traditional divisional hierarchical structure to what we call value chains, [which are] end-to-end business processes,” he said.
“As we get in on that journey, the business is expecting to understand how technology is operating across this end-to-end business process.
“What we’re finding is our automation strategy across the controls goes to the heart of that. So, we’re leveraging [our] data to map the applications to the value chains to give [the business] full stack views across their portfolios.”